Introducing The Cybersecurity Canon: Books You Should Have Read

1. A group of literary works that are generally accepted as representing a field: “the durable canon of American short fiction” (William Styron).

2. A list of writings officially recognized as genuine.

3. The list of works considered to be permanently established as being of the highest quality: “Hopkins was firmly established in the canon of English poetry.”

For the past decade, I have had this notion that there must be a cybersecurity canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. In my new role as Chief Security Officer of Palo Alto Networks, I have to stay visible and well-informed, and make sure I’m an evangelist for the company. To me, these are books no one in our field can do without.

To me, the Canon isn’t purely technical literature; it includes both nonfiction and fiction. Books that are how-to manuals for the inner workings of security protocols, coding practices, standard operating procedures and the like are important, but there are plenty of books in those categories that are covered by the various technical and security certification programs. And unless the book describes some timeless aspect of the community, it doesn’t really meet the definition.

What I am looking for in this list are books that make us human; books that not only tell us how something works but why. The Cybersecurity Canon should include books that explain how we got here and describe the people that drove the community down this path. These books can be novels if they capture the culture correctly and can illustrate and educate the general public about the true nature of cybersecurity. They need to illuminate our timeless thinking on different adversary motivations like crime, hacktivism, espionage and war. They also need to describe realistic hacking techniques and cyber operations.

I’ll be presenting on this topic at RSA 2014 in February, and at that time I’ll discuss my first candidates for inclusion in the Canon. Between now and then, Palo Alto Networks will post my discussions of each of these candidate books so that interested people can preview them before the presentation if they are so inclined and can decide for themselves whether they belong in the Canon or not.

Check back later today for the first entry in my series. Perhaps you might like to take exception with my list and offer other books for consideration. I welcome the debate. This should be fun.

It’s the ONLY book I’ve ever read that can be understood by average folks who “don’t understand computers.” It’s the story of a lad with considerable disabilities who was able to stumble into some highly sensitive networks with practically no skills. He was dedicated, though, and he persevered … and succeeded with his hacks. That he was ever found is an even better story.

This book should be used to show that the average user is still the biggest threat, and is the weakest link, in everything Internet.

Rick Howard, 6:30 am on April 29, 2014

I will put it in my reading queue.

Rick

Mike Martin, 6:38 pm on March 2, 2015

If you are willing to take suggestions for the Canon, here are a few:

Cyber Warfare:
Behold a Pale Farce by Bill Blunden
Black Code: Inside the Battle for Cyberspace by Ron Deibert

Cybercrime:
DarkMarket: Cyberthieves, Cybercops and You by Misha Glenny

Technical:
Security Engineering by Ross Anderson
Data Driven Security by Jay Jacobs and Bob Rudis
Silence on the Wire by Michal Zalewski
The Tangled Web by Michal Zalewski
Hacking: The Art of Exploitation by Jon Erickson
A Bug Hunter’s Diary by Tobias Klein
Practical Malware Analysis by Michael Sikorski and Andrew Honig
The Art of Software Security Assessment by Mark Dowd, John McDonald and Justin Schuh
The Art of Computer Virus Research and Defense by Peter Szor

I can think of more, but maybe that’s enough for now.

Mike Martin, 6:40 pm on March 2, 2015

If you had to pick one from the books I have mentioned, Security Engineering is definitely the one which should be read by everyone, although Behold a Pale Farce is the most thought-provoking.